b"                        U.S. Department of Agriculture\n\n                           Office of Inspector General\n                                    Southwest Region\n\n\n\n\n              Audit Report\n\n        Agricultural Marketing Service\nLivestock Mandatory Price Reporting System -\n             Application Controls\n\n\n\n\n                                Report No. 01099-4-Te\n                                      December 2004\n\x0c                  UNITED STATES DEPARTMENT OF AGRICULTURE\n                                   OFFICE OF INSPECTOR GENERAL\n\n                                        Washington D.C. 20250\n\n\n\n\nDATE:          December 22, 2004\n\nREPLY TO\nATTN OF:       01099-4-Te\n\nSUBJECT:       Livestock Mandatory Price Reporting System - Application Controls\n\nTO:            A. J. Yates\n               Chief\n               Agricultural Marketing Service\n\nATTN:          David Lewis\n               Director, Compliance Staff\n               Agricultural Marketing Service\n\n\nThis report presents the results of the subject audit. Your response to the official draft report,\ndated December 1, 2004, is included in its entirety as exhibit A with excerpts and the Office of\nInspector General\xe2\x80\x99s position incorporated into the Findings and Recommendations section of the\nreport. Your response contained sufficient justification to reach management decisions on all\nrecommendations contained in the report.\n\nPlease follow Departmental and your internal agency procedures in forwarding final action\ncorrespondence to the Office of the Chief Financial Officer, Director, Planning and\nAccountability Division. Final action on the management decisions should be completed within\n1 year of the date of the management decisions to preclude being listed in the Department\xe2\x80\x99s\nannual Performance and Accountability Report.\n\nWe appreciate the courtesies and cooperation extended to us by members of your staff during the\naudit. 
If you have any questions, please contact me at 720-6945, or have a member of your staff\ncontact Richard J. Davis, Director, Administration and Finance Division, at 720-1918.\n\n\n\n/s/ R. W. Young\nROBERT W. YOUNG\nAssistant Inspector General\n   for Audit\n\x0cExecutive Summary\nAgricultural Marketing Service\nLivestock Mandatory Price Reporting System - Application Controls\n(Report No. 01099-4-Te)\n\nResults in Brief     This report presents the results of our application controls audit of the\n                     Agricultural Marketing Service\xe2\x80\x99s (AMS) Livestock Mandatory Price\n                     Reporting System (LMPRS). Our objective was to evaluate whether\n                     AMS had adequate controls over the input, processing, and output of\n                     LMPRS data.        These controls include ensuring the authorization,\n                     completeness, and accuracy of the LMPRS data. AMS relies on LMPRS to\n                     provide information on pricing, contracting for purchase, and supply and\n                     demand conditions for livestock, livestock production, and livestock\n                     products, that can be readily understood by producers, packers, and other\n                     market participants. Overall, we found that AMS had authorization,\n                     completeness, and accuracy controls for LMPRS data; however, the controls\n                     need to be improved.\n\n                     The LMPRS application owner is the Livestock and Grain Market News\n                     Branch (MNB) of AMS. We found that MNB did not have adequate\n                     LMPRS application controls including access controls, technical\n                     documentation for the application, mandatory report modification process,\n                     supervisory reviews, and application monitoring. 
LMPRS access controls\n                     were not limited to the least privilege concept, defined as granting only the\n                     access required for a user\xe2\x80\x99s job responsibilities. While the technical system\n                     documentation for LMPRS is extensive, it did not provide a complete view\n                     of all files and database tables used within each module of the application.\n                     LMPRS reports were modified by MNB reporters, and there was no\n                     second-party review before the reports were posted on the AMS website.\n                     There were no routine supervisory reviews of MNB reporters\xe2\x80\x99 work and no\n                     documentation of reviews that were performed. Reviews of the daily\n                     LMPRS operation needed to be improved including monitoring logs and\n                     authorized user tables. Therefore, LMPRS application had an increased\n                     vulnerability in several areas that could result in unauthorized access and\n                     errors in mandatory reports that were posted on the AMS website for the\n                     public\xe2\x80\x99s use. However, there was no evidence that any instances of\n                     unauthorized access have occurred. During our fieldwork, MNB initiated\n                     action to ensure LMPRS user access was based on least privilege.\n\n                     We also found that MNB did not have adequate management controls to\n                     ensure that Federal and Departmental guidance on information technology\n                     issues was implemented. The LMPRS security plan did not meet Federal and\n                     Departmental requirements, including warning banner displays, password\n                     expiration, and the locking out of administrator accounts. 
In addition,\n\nUSDA/OIG-A/01099-4-Te                                                                      Page i\n\x0c                    MNB had not submitted any of the required data to address identified\n                    weaknesses for the agency Plan of Action and Milestones. MNB also was not\n                    performing scans of the LMPRS network. MNB was not aware of these\n                    requirements, and the AMS Chief Information Officer had not made it a\n                    practice to provide information on these items unless a request was received\n                    due to the workload and loss of staff.               We also found that the\n                    LMPRS application had not been certified before it went into production in\n                    April 2001. Officials did not adhere to Departmental guidance and stated that\n                    application certifications were not a priority throughout the Government at that\n                    time. The absence of a system certification increases the risk that the\n                    LMPRS application could be vulnerable to security breaches and\n                    cyber-related attacks. During our fieldwork, MNB corrected one security\n                    plan deficiency (banner display). 
They also instituted scans for LMPRS\n                    application servers.\n\nRecommendations\nIn Brief\n                    We recommend that AMS:\n\n                    \xe2\x80\xa2   Establish and implement application controls to strengthen access\n                        privileges, report modifications, supervisory reviews, technical\n                        documentation, and application monitoring.\n                    \xe2\x80\xa2   Establish and implement management controls to ensure that Federal and\n                        Departmental guidance is followed regarding the security plan, Plan of\n                        Action and Milestones, application certification, and scans.\n\nAgency Response     In a letter dated December 1, 2004, and subsequent correspondence,\n                    AMS concurred with all of the findings and recommendations and provided\n                    proposed actions and completion dates for each recommendation.\n                    (See exhibit A.)\n\nOIG Position        We accept the management decisions for all of the recommendations\n                    contained in the report. 
For final action, AMS needs to provide the Office of\n                    the Chief Financial Officer, Director, Planning and Accountability\n                    Division (OCFO/PAD), documentation as outlined in the Office of Inspector\n                    General\xe2\x80\x99s (OIG) Position sections of the report.\n\n\n\n\nUSDA/OIG-A/01099-4-Te                                                                       Page ii\n\x0cAbbreviations Used in This Report\n\n\nADP         Automated Data Processing\nAMS         Agricultural Marketing Service\nCIO         Chief Information Officer\nDM          Departmental Manual\nGAO         Government Accountability Office\nIT          Information Technology\nLMPRS       Livestock Mandatory Price Reporting System\nMNB         Livestock and Grain Market News Branch of AMS\nNIST        National Institute of Standards and Technology\nOCFO/PAD    Office of the Chief Financial Officer, Director,\n            Planning and Accountability Division\nOCIO        Office of the Chief Information Officer\nOIG         Office of Inspector General\nOMB         Office of Management and Budget\nPOA&M       Plan of Action and Milestones\nUSDA        U. S. Department of Agriculture\n\n\n\n\nUSDA/OIG-A/01099-4-Te                                          Page iii\n\x0cTable of Contents\nExecutive Summary .................................................................................................................................i\n\n\nAbbreviations Used in This Report ......................................................................................................iii\n\n\nBackground and Objectives ................................................................................................................... 1\n\n\nFindings and Recommendations............................................................................................................ 
3\n\n\n    Section 1         Application Controls Need Improvement ................................................................... 3\n\n        Finding 1             LMPRS Application Controls Were Inadequate .................................................... 3\n                                Recommendation No. 1.................................................................................... 7\n                                Recommendation No. 2.................................................................................... 8\n                                Recommendation No. 3.................................................................................... 8\n                                Recommendation No. 4.................................................................................... 9\n                                Recommendation No. 5.................................................................................... 9\n                                Recommendation No. 6.................................................................................. 10\n\n    Section 2         Management Controls Need Improvement ............................................................... 11\n\n        Finding 2             Information System Documentation and Policies Need Improvement ................. 11\n                                  Recommendation No. 7.................................................................................. 15\n                                  Recommendation No. 8.................................................................................. 15\n                                  Recommendation No. 9.................................................................................. 16\n                                  Recommendation No. 10................................................................................ 16\n                                  Recommendation No. 
11................................................................................ 16\n                                  Recommendation No. 12................................................................................ 17\n\nGeneral Comments ............................................................................................................................... 18\n\n\nScope and Methodology........................................................................................................................ 19\n\nExhibit A \xe2\x80\x93 Agency Response .............................................................................................................. 21\n\n\n\n\nUSDA/OIG-A/01099-4-Te                                                                                                                    Page iv\n\x0cBackground and Objectives\nBackground   Application controls are the structure, policies, and procedures that apply to\n             separate, individual application systems. An application system is typically a\n             collection or group of individual computer programs that relate to a common\n             function. In the Federal Government, some applications may be complex,\n             comprehensive systems involving numerous computer programs and\n             organizational units, such as those associated with benefit payment systems.\n             Application controls can encompass both the routines contained within the\n             computer program code and the policies and procedures associated with user\n             activities, such as manual measures performed by the user to determine that\n             data was processed accurately.\n\n             Application controls help make certain that transactions are valid, properly\n             authorized, and completely and accurately processed. 
They are commonly\n             categorized into three phases of a processing cycle:\n\n              \xe2\x80\xa2   Input\xe2\x80\x94data are authorized, converted to an automated form, and entered\n                  into the application in an accurate, complete, and timely manner.\n\n              \xe2\x80\xa2   Processing\xe2\x80\x94data are properly processed by the computer and files are\n                  updated correctly.\n\n              \xe2\x80\xa2   Output\xe2\x80\x94files and reports generated by the application actually occur and\n                  accurately reflect the results of processing and reports are controlled and\n                  distributed to the authorized users.\n\n             AMS\xe2\x80\x99 LMPRS Application\n\n             The U.S. Department of Agriculture's (USDA) Agricultural Marketing Service\n             (AMS) administers programs that facilitate the efficient, fair marketing of\n             U.S. agricultural products, including food, fiber, and specialty crops.\n             AMS includes six commodity divisions: Cotton, Dairy, Fruit and Vegetable,\n             Livestock and Feed, Poultry, and Tobacco.\n\n             AMS\xe2\x80\x99 Livestock Mandatory Price Reporting System (LMPRS) contains\n             information about livestock pricing, contracting arrangements, and supply and\n             demand conditions. The Livestock and Grain Market News Branch (MNB) of\n             AMS implemented the LMPRS in April 2001 in response to the Livestock\n             Mandatory Reporting Act of 1999 (Act), part of the Fiscal Year 2000\n             Agricultural Appropriation Bill. 
Under the Act, larger livestock packers,\n             processors, and importers electronically report certain market information\n             regarding transactions of cattle, swine, lamb, and livestock products to USDA.\n             LMPRS is designed to collect the information and summarize it in the form of\n             national reports, which are available to the public on the AMS website.\n\x0c                          Approximately 134 meat processing plants submit mandatory data to the\n                          LMPRS application on a daily and weekly basis. At least two times each day,\n                          reporters in the MNB field offices in Des Moines, Iowa, and St. Joseph,\n                          Missouri, manually import the market information received from the plants\n                          into the LMPRS production database. The reporters have approximately\n                          1 hour from importing the data to create reports and post them to the\n                          AMS website.\n\n                          The LMPRS application servers are located at two sites - Ashburn, Virginia\n                          (primary servers), and Richardson, Texas (secondary servers). The LMPRS\n                          network is external to the Department\xe2\x80\x99s network, which was unable to\n                          accommodate LMPRS activity.\n\n                          Three contractors and one subcontractor support the LMPRS application. The\n                          application contractor developed and maintains the application and is also the\n                          system administrator for the LMPRS application. The facility contractor\n                          stores AMS-owned servers and other hardware on its property in a secure and\n                          protected room. 
The hardware maintenance contractor provides maintenance\n                          functions for hardware switch configuration and supports the firewalls used to\n                          protect the LMPRS application. The firewall subcontractor manages the\n                          LMPRS firewall and intrusion detection systems.\n\n                          The following diagram illustrates the data flow of the LMPRS application:\n\n\n                             `\n                                                                     Meat Processing Plants\n\n        Ashburn, VA (Primary Servers)       Firewall\n\n\n\n\n                                                                                              AMS Users\n\n                                                  Internet\n\n\n                                                              USDA Network\n\n     Richardson, TX (Secondary Servers)\n\n\n                                                 Firewall\n\n\n\n\nObjective                 The objective of this audit was to determine whether AMS had established\n                          adequate controls to ensure that data entered into LMPRS are properly\n                          authorized, completely processed, and accurately processed.\n\x0cFindings and Recommendations\nSection 1          Application Controls Need Improvement\n\n\n\n    Finding 1                      LMPRS Application Controls Were Inadequate\n\n                                  Our review of LMPRS application controls disclosed several weaknesses\n                                  involving the assignment of access privileges, reviews by supervisors of\n                                  modified reports, technical documentation, reviews and documentation of\n                                  reporter\xe2\x80\x99s daily activities, and reviews of the daily operations of the\n                                  LMPRS application. 
The causes of the weaknesses in each of the five areas are outlined in the sections below. As a result, the LMPRS application has an increased vulnerability in several areas that could result in unauthorized access and errors in mandatory reports that are posted on the AMS website. (We did not, however, identify any instances of unauthorized access.)

Access Controls

An excessive number of LMPRS users had access privileges that exceeded the needs of their job responsibilities. Inadequate internal controls allowed MNB staff to routinely assign the same access privilege to internal users without considering the users’ job responsibilities. As a result, the LMPRS application had an increased risk of unauthorized use, such as the creation and deletion of valid/invalid users or unauthorized access to valid LMPRS accounts.

Federal,[1] Departmental,[2] and National Institute of Standards and Technology (NIST)[3] guidance state that users should be granted access based on the least privilege concept. Least privilege refers to the security objective of granting users only those accesses they need to perform their official responsibilities.

Access controls over system and application data include both physical and logical controls and should provide reasonable assurance that computer resources (data files, application programs, and computer equipment) are protected against unauthorized modification, disclosure, loss, or impairment. Logical access controls, such as user names, passwords, and access permissions, ensure that only authorized users have access to network resources from their workstations, and that users are granted only the access that is needed to conduct their job responsibilities.

[1] Office of Management and Budget (OMB) Circular A-130, Appendix III, “Security of Federal Automated Information Resources,” section A, dated November 28, 2000
[2] Departmental Manual (DM) 3140-1, Management ADP Security Manual, Appendix D, section 7 - Vulnerability to Unauthorized Disclosure, dated July 19, 1984
[3] NIST SP800-12, An Introduction to Computer Security: The NIST Handbook, Chapter 10, section 10.2.1, dated October 1995

There were three groups of users who accessed LMPRS: AMS users[4] (47 user accounts), meat processing plant users (134 user accounts), and LMPRS system administrators (4 user accounts - all application contractors). AMS and meat processing plant user accounts are created and deleted by MNB information technology (IT) specialists. Meat processing plant users have a “plant” access profile, which allows limited privileges. An AMS user can have a “reporter” access profile, an “administrator” access profile, or a “reporter/administrator” profile. An LMPRS user with the “administrator” access profile is allowed to modify users and passwords for the LMPRS application. The type of profile is chosen when MNB IT specialists create the AMS user account.

MNB staff stated that they routinely gave AMS users both “reporter” and “administrator” access profiles. We found 36 of 47 AMS users had “administrator” access profiles. MNB stated that this had occurred due to the need to allow the reporters access to other data that was needed for their job responsibilities and because the staff routinely gave both profiles to AMS users. In a prior audit report,[5] OIG found that least privilege was an issue for other AMS applications that were reviewed.
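The comparison a least-privilege review performs on profiles like the ones above is mechanical enough to script. The following is an added example, not code from the OIG report or from AMS/MNB: it assumes a hypothetical account export carrying each user’s assigned profile (the “plant”, “reporter”, “administrator” and “reporter/administrator” profile names come from the report; the concrete privileges mapped to each profile, the job-function names, and the sample accounts are constructed for the example). The review flags every account whose profile grants a privilege that none of the holder’s job functions require and names the smallest profile that would still cover the job.

```python
"""Least-privilege review of application access profiles (added example).

Not from the OIG report and not AMS/MNB code. Profile names follow the
report's description; the privilege mapping, job functions and sample
accounts below are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Privileges implied by each access profile (assumed mapping).
PROFILE_PRIVILEGES = {
    "plant": {"submit_data"},
    "reporter": {"import_data", "create_report", "publish_report"},
    "administrator": {"manage_users", "reset_passwords"},
    "reporter/administrator": {"import_data", "create_report", "publish_report",
                               "manage_users", "reset_passwords"},
}

# Privileges each job function legitimately needs (assumed for the example).
JOB_PRIVILEGES = {
    "plant_submitter": {"submit_data"},
    "market_reporter": {"import_data", "create_report", "publish_report"},
    "it_specialist": {"manage_users", "reset_passwords"},
}


@dataclass(frozen=True)
class Account:
    user: str
    profile: str
    jobs: Tuple[str, ...]   # job functions the account holder actually performs


@dataclass(frozen=True)
class Finding:
    user: str
    profile: str
    excess: FrozenSet[str]          # granted privileges no job requires
    recommended_profile: str        # smallest profile that still covers the job


def required_privileges(account: Account) -> set:
    needed = set()
    for job in account.jobs:
        needed |= JOB_PRIVILEGES[job]
    return needed


def minimal_profile(needed: set) -> str:
    """Smallest profile (by privilege count) whose grants cover `needed`."""
    candidates = [p for p, privs in PROFILE_PRIVILEGES.items() if needed <= privs]
    return min(candidates, key=lambda p: len(PROFILE_PRIVILEGES[p]))


def review(accounts: List[Account]) -> List[Finding]:
    """Flag every account holding privileges beyond its job responsibilities."""
    findings = []
    for acct in accounts:
        granted = PROFILE_PRIVILEGES[acct.profile]
        excess = granted - required_privileges(acct)
        if excess:
            findings.append(Finding(acct.user, acct.profile, frozenset(excess),
                                    minimal_profile(required_privileges(acct))))
    return findings


def admin_count(accounts: List[Account]) -> int:
    """Accounts whose profile can modify users and passwords."""
    return sum(1 for a in accounts if "manage_users" in PROFILE_PRIVILEGES[a.profile])


# Constructed sample export: two reporters, two IT specialists, one plant user.
SAMPLE_ACCOUNTS = [
    Account("plant-101", "plant", ("plant_submitter",)),
    Account("reporter-a", "reporter/administrator", ("market_reporter",)),
    Account("reporter-b", "reporter", ("market_reporter",)),
    Account("itspec-1", "reporter/administrator", ("it_specialist",)),
    Account("itspec-2", "reporter/administrator", ("it_specialist", "market_reporter")),
]

if __name__ == "__main__":
    print(f"{admin_count(SAMPLE_ACCOUNTS)} of {len(SAMPLE_ACCOUNTS)} accounts can manage users")
    for f in review(SAMPLE_ACCOUNTS):
        print(f"{f.user}: profile {f.profile!r} grants {sorted(f.excess)} "
              f"beyond job needs; recommend {f.recommended_profile!r}")
```

Run against a real export, the interesting output is the ratio `admin_count` reports against the total and the list of accounts whose recommended profile differs from the assigned one; an account such as `itspec-2` that genuinely performs both roles is correctly left alone.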
During our fieldwork, MNB modified which AMS users were allowed access to the LMPRS application and had the contractor modify the users’ access profiles. After the modifications, there were nine users with the “reporter/administrator” profile (six AMS users and three application contractors) whose job responsibilities required the access profile.

Report Modification

Some LMPRS application reports were routinely modified and posted on the website without further review. MNB did not have adequate internal controls to ensure that modified reports were subject to a second-party review by reporters’ peers before being published on the AMS website. The supervisors considered the reporters experts and did not feel a review was necessary. As a result, there was an increased risk of errors in the mandatory reports posted on the AMS website for public use.

MNB desk procedures require reporters to review the reports they produce before posting on the AMS website. Reporters work in pairs and review portions of each other’s work. However, the desk procedures did not require second-party review of reports before they were posted on the website. Federal guidance[6] states internal controls should provide reasonable assurance that the objectives of the agency are being achieved, including reliability of reports for internal and external use, and should be designed to assure that ongoing monitoring occurs in the course of normal operations. Internal controls should be performed continually and be ingrained in the agency’s operations, including regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties.

[4] AMS users consist of AMS Audit Review and Compliance Auditors and MNB users.
[5] Audit Report No. 01099-1-FM, “Security Over Information Technology Resources at the Agricultural Marketing Service,” dated March 2002
[6] Government Accountability Office (GAO), Standards for Internal Control in the Federal Government, Introduction and Monitoring Sections, dated November 1999

During our fieldwork, we observed the modification of two daily mandatory reports before they were posted on the AMS website. A trend number for a swine report was manually calculated and then changed, and data for a boxed beef report was modified to meet mandatory confidentiality criteria.
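The control this section says was missing, a second-party review of each manual change before a report is posted, can be enforced by the publishing step itself rather than left to desk procedure. The following is an added example, not code from the OIG report or from AMS/MNB: it models a report whose fields a reporter may override by hand (the overridden “trend” value and the reviewer names are constructed), records every modification with who made it and why, and refuses to publish until each modification has been reviewed by someone other than the reporter who made it. Field names, the `ReviewRequired` error and the ledger layout are assumptions of the example.

```python
"""Second-party review gate for manually modified reports (added example).

Not from the OIG report and not AMS/MNB code. The report, its fields, the
manual trend override and the reporter/reviewer names are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List


class ReviewRequired(Exception):
    """Raised when a publish or review would bypass second-party review."""


@dataclass(frozen=True)
class Modification:
    seq: int            # position in the report's change ledger
    reporter: str       # who made the manual change
    field: str
    old: Any
    new: Any
    reason: str

    def digest(self) -> str:
        # A review is bound to the exact content of the change it approves.
        payload = json.dumps([self.seq, self.reporter, self.field, self.old,
                              self.new, self.reason], sort_keys=True, default=str)
        return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class Report:
    name: str
    data: Dict[str, Any]
    ledger: List[Modification] = field(default_factory=list)
    reviews: Dict[str, str] = field(default_factory=dict)   # digest -> reviewer

    def modify(self, reporter: str, fld: str, new: Any, reason: str) -> str:
        """Apply a manual change and return the digest a reviewer must sign off."""
        mod = Modification(len(self.ledger), reporter, fld, self.data[fld], new, reason)
        self.data[fld] = new
        self.ledger.append(mod)
        return mod.digest()

    def review(self, reviewer: str, digest: str) -> None:
        """Record a second-party review; self-review is rejected."""
        mod = next((m for m in self.ledger if m.digest() == digest), None)
        if mod is None:
            raise KeyError("no such modification")
        if mod.reporter == reviewer:
            raise ReviewRequired("reviewer must differ from the reporter who made the change")
        self.reviews[digest] = reviewer

    def unreviewed(self) -> List[Modification]:
        return [m for m in self.ledger if m.digest() not in self.reviews]

    def publish(self) -> Dict[str, Any]:
        """Return the publishable record, or refuse while changes lack review."""
        pending = self.unreviewed()
        if pending:
            raise ReviewRequired(
                f"{len(pending)} unreviewed modification(s): "
                + ", ".join(f"{m.field} by {m.reporter}" for m in pending))
        trail = [{"field": m.field, "old": m.old, "new": m.new, "reporter": m.reporter,
                  "reason": m.reason, "reviewer": self.reviews[m.digest()]}
                 for m in self.ledger]
        return {"report": self.name, "data": dict(self.data), "audit_trail": trail}


def run_scenario() -> Dict[str, Any]:
    """Walk one constructed report through override, blocked publish, review, publish."""
    report = Report("swine-daily (constructed)", {"trend": 0.8, "head_count": 12000})
    digest = report.modify("reporter-a", "trend", 1.1, "manual trend recalculation")
    outcome: Dict[str, Any] = {}
    try:
        report.publish()
        outcome["publish_blocked"] = False
    except ReviewRequired:
        outcome["publish_blocked"] = True        # unreviewed change stops posting
    try:
        report.review("reporter-a", digest)
        outcome["self_review_rejected"] = False
    except ReviewRequired:
        outcome["self_review_rejected"] = True   # the author cannot be the reviewer
    report.review("reporter-b", digest)
    outcome["published"] = report.publish()
    return outcome


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Binding the review to a digest of the change means a reviewer approves the specific old/new values, not the report in general; a later edit to the same field produces a new ledger entry that must be reviewed again, and the audit trail in the published record documents who changed what and who checked it, which is the evidence the report notes was absent.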
We\n                                   determined that the trend number could be calculated by the application if a\n                                   modification was made to the application. MNB officials were aware of this\n                                   and had requested changes to the LMPRS application about 2 years ago. Due\n                                   to a change in personnel, the issue was never resolved. MNB supervisors\n                                   explained that there was no second-party review because the reporters are\n                                   considered the experts. MNB officials requested the application contractor\n                                   determine what type of effort would be involved in making a program change\n                                   to the trend calculation. However, the confidentiality data for the boxed beef\n                                   report could not be handled by the application because parameters change\n                                   frequently. During our fieldwork, MNB officials agreed that it was\n                                   reasonable to pursue establishing procedures for second-party reviews of\n                                   LMPRS reports.\n\n                                   Technical Documentation\n\n                                   While the technical system documentation for LMPRS is extensive, it did not\n                                   provide a complete view of all files and database tables used within each\n                                   module of the application. MNB did not have adequate internal controls\n                                   requiring detailed technical documentation because they felt the\n                                   documentation MNB requested of the contractor was adequate. 
In addition,\n                                   MNB relied heavily on the current application contractor to provide technical\n                                   information for the LMPRS application. There was a risk of system\n                                   downtime if the current MNB application contractor was no longer available.\n\n                                   Departmental7 guidance states that agencies with new or significantly\n                                   modified application systems should assure the development of adequate\n                                   systems, program, operational, and user documentation and recognize8 the\n                                   risk of a heavy reliance on contractors or other related parties to perform\n                                   critical agency functions.\n\n                                   NIST guidance9 states documentation of all aspects of computer support and\n                                   operations is important to ensure continuity and consistency. 
The guidance\n                                   also states formalizing operational practices and procedures in sufficient\n                                   detail helps to eliminate security lapses and oversights, gives new personnel\n                                   sufficiently detailed instructions, and provides a quality assurance function to\n                                   help ensure that operations will be performed correctly and efficiently.\n\n\n7\n  DM 3140-1, Management ADP Security Manual, Section 17 - Application System Development, dated July 19, 1984\n8\n  DM 1110-2, Management Control Manual, Chapter 2, section 5 - Guidelines for Developing a Management Control Process, dated November 29, 2002\n9\n  NIST SP800-12, An Introduction to Computer Security: The NIST Handbook, Chapter 14, section 14.6, dated October 1995\n\x0c                                      The contractor provided a user guide for plant users and an administrator\xe2\x80\x99s\n                                      guide for MNB users. There also is contractor-provided documentation for\n                                      certain program functions used by the application and a high-level flowchart\n                                      of the application.     However, there is no comprehensive technical\n                                      documentation that describes all of the application\xe2\x80\x99s tables and files\n                                      including how transactions flow through the application. 
MNB felt that the original documentation requested from the contractor was
sufficient. However, MNB officials have agreed that additional technical
documentation should be obtained and stated that the application contractor would
be consulted on this issue.

Supervisory Reviews

MNB field office staff did not routinely perform supervisory reviews of MNB
reporters' daily activities, and the reviews that were performed were not
documented. MNB did not have adequate internal controls for review of MNB
reporters' daily activities because supervisors did not believe it was necessary.
As a result, there is an increased risk of errors in the mandatory report process.

Federal guidance10 states internal control should generally be designed to assure
that ongoing monitoring occurs in the course of normal operations, that it is
performed continually and is ingrained in the agency's operations, and that it
includes regular management and supervisory activities, comparisons,
reconciliations, and other actions people take in performing their duties.

We interviewed supervisors and managers at the Des Moines field office. They
stated that there was no documentation of, or consistent schedule for, supervisory
reviews of the reporters' work, including transactions that are excluded from the
mandatory LMPRS reports posted on the AMS website. The reporters submit a Daily
Report Log, which summarizes the reporting activities each day, to supervisors.
The Daily Report Logs contain the time of import of records, the list of packers
not submitting data and the reason, the percentage of records excluded, and the
percent of records used in the reports. However, the supervisors do not routinely
review the reporters' daily work that is summarized in the logs. MNB supervisors
stated that the reporters were experts and that they trusted the reporters'
judgment in making decisions.

Application Monitoring

MNB did not routinely monitor the daily operations of the application, such as
adequately reviewing database tables containing authorized users, firewall logs,
and web server logs.
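The routine review that the Application Monitoring condition above describes can be driven from the web server access logs and the authorized-user table. The following Python script is an added example, not code from the audit report, AMS, MNB or the application contractor: it parses access log lines, builds a per-user record of first and last access time, submissions (POST) and retrievals (GET), and reconciles every user name seen against the authorized-user table, flagging accounts absent from the table, non-Administrator accounts reaching administrator pages (the privilege condition of Recommendation No. 1), failed authentication attempts, and access outside the reporting window. The Common Log Format with the authenticated user in the third field, the hosts, paths, user names, roles, the /lmprs/admin/ prefix and the 05:00 to 20:00 window are all constructed assumptions.

```python
"""Daily review of LMPRS web server access logs against the authorized-user table.

Added example, not code from the audit report, AMS, MNB or the application
contractor.  Assumes Common Log Format lines whose third field is the
authenticated user name, and an authorized-user table keyed by user name.
The log lines, addresses, paths, user names, roles, the admin URL prefix and
the 05:00-20:00 reporting window are all constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed stand-in for the application's authorized-user table (user -> role).
AUTHORIZED_USERS = {"jsmith": "reporter", "plant017": "plant", "lmprsadmin": "administrator"}

# Constructed sample access log (hypothetical hosts, users and paths); the last
# line is deliberately malformed.
SAMPLE_LOG = """\
10.10.4.21 - plant017 [14/Jun/2004:06:12:03 -0500] "POST /lmprs/submit HTTP/1.1" 200 5120
10.10.4.21 - plant017 [14/Jun/2004:06:12:09 -0500] "GET /lmprs/confirm?id=8812 HTTP/1.1" 200 311
192.0.2.44 - jsmith [14/Jun/2004:07:45:30 -0500] "GET /lmprs/import HTTP/1.1" 200 2048
192.0.2.44 - jsmith [14/Jun/2004:07:46:02 -0500] "POST /lmprs/import HTTP/1.1" 200 97
192.0.2.44 - jsmith [14/Jun/2004:07:50:11 -0500] "GET /lmprs/admin/users HTTP/1.1" 200 1402
198.51.100.9 - - [14/Jun/2004:02:01:55 -0500] "GET /lmprs/admin/users HTTP/1.1" 401 0
198.51.100.9 - oldvendor [14/Jun/2004:02:03:17 -0500] "GET /lmprs/admin/users HTTP/1.1" 200 1402
203.0.113.7 - lmprsadmin [13/Jun/2004:23:40:10 -0500] "POST /lmprs/admin/users HTTP/1.1" 200 120
this line is not in the expected format
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BUSINESS_START, BUSINESS_END = time(5, 0), time(20, 0)   # assumed reporting hours
ADMIN_PREFIX = "/lmprs/admin/"                            # assumed admin-only URL space


def parse_log(text):
    """Return (records, malformed-line count); malformed lines are counted, not guessed at."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records, skipped


def review_access(log_text, authorized):
    """Return (per-user activity, findings for the reviewer, malformed-line count)."""
    records, skipped = parse_log(log_text)
    activity = defaultdict(lambda: {"first": None, "last": None,
                                    "submissions": 0, "retrievals": 0, "sources": set()})
    findings = []
    for rec in records:
        user, ts, path = rec["user"], rec["ts"], rec["path"]
        if user == "-":                                   # unauthenticated request
            if rec["status"] == 401:
                findings.append(("auth-failure", rec["ip"], path))
            continue
        a = activity[user]
        a["first"] = ts if a["first"] is None or ts < a["first"] else a["first"]
        a["last"] = ts if a["last"] is None or ts > a["last"] else a["last"]
        a["sources"].add(rec["ip"])
        a["submissions" if rec["method"] == "POST" else "retrievals"] += 1
        # Reconcile against the authorized-user table: the account must exist, and
        # administrator pages must only be reached by Administrator accounts.
        if user not in authorized:
            findings.append(("unknown-user", user, path))
        elif path.startswith(ADMIN_PREFIX) and authorized[user] != "administrator":
            findings.append(("privilege-mismatch", user, path))
        if not BUSINESS_START <= ts.time() <= BUSINESS_END:
            findings.append(("out-of-hours", user, ts.isoformat()))
    return activity, findings, skipped


def daily_review_lines(activity, findings, skipped, authorized):
    """Render the review as text a supervisor can initial and file."""
    lines = []
    for user in sorted(activity):
        a = activity[user]
        lines.append(f'{user:<12}{authorized.get(user, "NOT AUTHORIZED"):<16}'
                     f'{a["first"]:%Y-%m-%d %H:%M}  {a["last"]:%Y-%m-%d %H:%M}  '
                     f'{a["submissions"]:>3} submitted  {a["retrievals"]:>3} retrieved  '
                     f'{len(a["sources"])} source(s)')
    lines.append(f"{len(findings)} item(s) for review, {skipped} malformed line(s) skipped")
    for kind, who, what in findings:
        lines.append(f"  {kind:<19}{who:<16}{what}")
    return lines


if __name__ == "__main__":
    print("\n".join(daily_review_lines(*review_access(SAMPLE_LOG, AUTHORIZED_USERS), AUTHORIZED_USERS)))
```

The output of `daily_review_lines` is the piece a supervisor would initial and file alongside the Daily Report Log. Lines that do not match the expected format are counted rather than silently dropped, so a change in the web server's log format shows up as a rising malformed-line count instead of an empty review.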
MNB did not have adequate internal controls in place because officials were
satisfied with their current monitoring activities. Insufficient monitoring may
increase the vulnerability of LMPRS to attacks, including inappropriate or
unauthorized access and potential system downtime.

10 GAO, Standards for Internal Control in the Federal Government, Monitoring Section, dated November 1999

Federal guidance11 states internal control should generally be designed to assure
that ongoing monitoring occurs in the course of normal operations, that it is
performed continually and is ingrained in the agency's operations, and that it
includes regular management and supervisory activities, comparisons,
reconciliations, and other actions people take in performing their duties. The
guidance12 also states management should ensure that skill needs are continually
assessed and that the organization is able to obtain a workforce that has the
required skills that match those necessary to achieve organizational goals.
Training should be aimed at developing and retaining employee skill levels to
meet changing organizational needs.

While the contractor monitors the firewall logs, MNB officials receive a daily
summary of these logs, which contains the top threats and top threat sources for
that day. MNB officials stated that they did not know much about the firewall
logs. We obtained examples of the types of training the MNB IT staff had recently
received; however, the list did not include any type of firewall training. MNB
was not performing reviews of the authorized application users or of the web
server access logs. The web server logs contain transaction data on submissions
to and retrievals of information from the application. The transactions recorded
by these logs can also be used to monitor the date and time LMPRS users accessed
the application. MNB officials stated they have routine meetings with the
application contractor; however, there were no routine reviews of server logs.
MNB officials did not have routine meetings with the other two contractors
(firewall and facility).

Recommendation No. 1

Establish and implement application controls to ensure that LMPRS users are given
only the access privileges required for assigned job duties.

Agency Response. AMS concurs with this recommendation. During the review, MNB
staff modified the user access privileges to ensure that only those users whose
job responsibilities require Administrator access have that privilege.
No later than May 31, 2005, AMS will develop written procedures that will be
incorporated in the Trusted Facilities Manual, developed during the certification
and accreditation process, for MNB IT staff to follow when establishing new AMS and
plant user accounts to ensure that Administrator access is given only to those
users that require it.

11 GAO, Standards for Internal Control in the Federal Government, Monitoring Section, dated November 1999
12 GAO, Standards for Internal Control in the Federal Government, Managing Human Capital, dated November 1999

OIG Position. We accept the AMS management decision for Recommendation No. 1. In
our opinion, final action will be completed when AMS provides OCFO/PAD
documentation of the written procedures that have been developed to ensure that
Administrator access is given only to AMS and plant user accounts that require it.

Recommendation No. 2

Determine all the mandatory reports that are modified before posting to the AMS
website. For each report that is modified, (a) establish and implement application
controls to ensure that the report is reviewed for correctness before being posted
on the website, and (b) where possible, change the application to perform the
needed functions.

Agency Response. AMS concurs with this recommendation. No later than May 31, 2005,
MNB will determine all of the mandatory reports that are modified prior to being
posted on the AMS website and will establish written procedures in an LMPRS
reporter desk manual to ensure that all of the reports are subject to a
second-party review by another reporter prior to publication. With respect to the
reports that are being modified due to confidentiality concerns, AMS has
determined that it is not possible to modify the application to perform this
function. With respect to the swine reports in which a trend number is manually
calculated, AMS will pursue modifying the application to perform this function in
the next swine enhancement effort, which is anticipated to occur in fiscal year
2006.

On December 8, 2004, AMS provided correspondence with the following clarification:
With respect to the AMS response to Recommendation No. 2, the swine reports that
are modified to manually calculate the trend number will be subject to the
second-party review procedures that AMS will establish, no later than May 31,
2005, until such time that the application is modified to perform this function.

OIG Position. We accept the AMS management decision for Recommendation No. 2. In
our opinion, final action will be completed when AMS provides OCFO/PAD
documentation of the written procedures that have been developed to ensure the
correctness of modified reports.

Recommendation No. 3

Obtain necessary technical documentation for LMPRS.

Agency Response. AMS concurs with this recommendation. While AMS believes the
current technical documentation for LMPRS is extensive, as a part of the contract
that was awarded in September 2004 for the fiscal year 2004 enhancements,
additional system documentation will be developed that details all of the
application's tables and files, including how transactions flow through the
application. This will be completed no later than May 31, 2005.

OIG Position. We accept the AMS management decision for Recommendation No. 3. In
our opinion, final action will be completed when AMS provides OCFO/PAD evidence of
the additional LMPRS documentation.

Recommendation No. 4

Establish and implement application controls for reviews of MNB reporters'
activities, including documentation of the reviews.

Agency Response. AMS concurs with this recommendation. No later than May 31, 2005,
MNB will develop procedures to be incorporated in the LMPRS reporter desk manual
to document weekly reviews of MNB reporters' activities, including transactions
that were excluded from the LMPRS reports, by the appropriate supervisor(s).

OIG Position. We accept the AMS management decision for Recommendation No. 4. In
our opinion, final action will be completed when AMS provides OCFO/PAD
documentation of the written procedures that have been developed to ensure
supervisory reviews of MNB reporters' activities are performed and documented.

Recommendation No. 5

Establish and implement application controls for review of the daily operations
of the LMPRS application.

Agency Response. AMS concurs with this recommendation. No later than May 31, 2005,
AMS will establish and implement controls to review the daily operations of the
LMPRS application. As a part of the contract that was awarded in September 2004
for the fiscal year 2004 enhancements, the LMPRS application will generate a
nightly audit report that will include items such as the number of imports run
(including details for each import), total LMPRS records processed, total LMPRS
bad records detected, the number of reports run (including details for each
report), user account details, and other application information.

OIG Position. We accept the AMS management decision for Recommendation No. 5. In
our opinion, final action will be completed when AMS provides OCFO/PAD
documentation of the written procedures that have been developed to review the
daily operations of the LMPRS application.

Recommendation No. 6

Establish and implement application controls to ensure that the appropriate
personnel receive adequate training to monitor the LMPRS application.

Agency Response. AMS concurs with this recommendation. AMS has outsourced the
overall administration of the system, including management of the system
firewalls, to third-party contractors. AMS believes these contractors have the
qualifications and skills necessary to effectively carry out these tasks. In the
event that additional expertise is needed to review either firewall logs or other
system functions, agency IT personnel are available to MNB for consultation as
needed. If AMS believes further training is needed for overall program management,
AMS will pursue obtaining additional training as appropriate.

OIG Position. We accept the AMS management decision for Recommendation No. 6. The
proposed actions, in our opinion, are sufficient for final action.

Section 2    Management Controls Need Improvement

Finding 2    Information System Documentation and Policies Need Improvement

Our review of the LMPRS application disclosed several conditions that were not in
accordance with Federal and Departmental guidance. The security plan did not
address all requirements. MNB did not submit Plan of Action and Milestones
(POA&M) data to address LMPRS application weaknesses. MNB had not certified the
LMPRS application or performed scans of the LMPRS network for system
vulnerabilities. The cause of the conditions was that AMS had inadequate
management controls to ensure Federal and Departmental guidance was followed, as
outlined in the sections below.
As a result, the LMPRS application could be vulnerable to security breaches and
cyber-related attacks.

Security Plan

The LMPRS security plan did not address all Federal and Departmental requirements,
including waivers for noncompliance with policies requiring warning banner
displays, user password expiration, and lockout of administrator accounts on the
LMPRS servers. In addition, the security plan did not indicate the current status
of all elements outlined in the security plan guidance. AMS' CIO had not informed
MNB of the requirements outlined in the guidance. Thus, MNB officials were not
aware of all the requirements outlined by the guidance. As a result, the LMPRS
application could be vulnerable to security breaches.

Federal guidance13 states that all major applications and general support systems
containing sensitive information require protection to assure their integrity,
availability, or confidentiality, and therefore require security plans.
Departmental guidance requires warning14 banners, password15 expiration, and
locking out of user accounts.16 Further,17 when it is not feasible to apply a
particular standard to an existing automated data processing (ADP) system without
excessive costs, agencies are to devise an alternate scheme for adequate
protection and then request a waiver. Office of the Chief Information Officer
(OCIO) guidance18 also requires the security plan to discuss upcoming agency plans
for implementing the agency security awareness, training, and education programs,
including planned annual security seminars. The Departmental OCIO's office issued
a letter19 stating that annual security plans are recognized as one tool to assess
and report on the protection of agency assets; therefore, it is critical that they
be prepared and updated on a regular basis with the most current information
concerning each agency's information security practices.

13 OMB Circular A-130, Appendix III, "Security of Federal Automated Information Resources," section A, dated November 28, 2000
14 Departmental Regulation 3140-1, USDA Information Systems Security Policy, Section 15 - System Warning Message, dated May 15, 1996
15 DM 3140-1, Management ADP Security Manual, Appendix D, section 6, part b, dated July 19, 1984
16 DM 3140-1, Management ADP Security Manual, Appendix D, section 5 - Requirements, dated July 19, 1984
17 DM 3140-1, Management ADP Security Manual, Section 7 - Security Program Requirements, dated July 19, 1984
18 OCIO Cyber Security (CS)-25, Annual Agency Security Plans for Information Technology Systems and Security Programs Guidance, dated April 8, 2003

The most recent LMPRS security plan, dated January 6, 2004, stated, "The LMPRS does
not display banners or legal notices prior to the display of the logon dialog box.
Implementing this would require an administrator to physically click 'ok' to get
past the desktop, which would prevent certain critical applications in the startup
group not to start without a manual interface. Servers are set up to automatically
reboot periodically, implementing the above requirement would impact this job."
The security plan also stated that LMPRS user passwords did not expire. In
addition, the security plan stated, "There is currently no lockout feature in
place for the LMPRS servers. All accounts belong to the administrator group, and
therefore cannot be locked out or disabled." When asked about the above-mentioned
requirements, MNB responded that it was not aware that waivers were required for
conditions that did not comply with security plan guidance until notified by OIG
during our fieldwork. During our fieldwork, MNB modified the application to
display warning banners and initiated changes to the application to resolve the
password expiration issue. MNB stated it would pursue a waiver from OCIO for the
lockout of the system administrator accounts and would also discuss the need for
those accounts to lock out.

The LMPRS security plan did not include the frequency of security training, as
required by the OCIO guidance stated above. MNB stated that there was annual
security training for personnel as well as training on the LMPRS application
before using the application, even though it was not noted in the security plan.
Also, the wording in the security plan did not always indicate the current status
of the element being reported on. For instance, the word "should" used in the
Rules of Behavior section does not indicate whether the rules are being followed.

Plan of Action and Milestones

MNB did not prepare and submit POA&M data to address identified weaknesses in the
LMPRS application. The AMS CIO had not informed MNB of the requirements outlined
in the Federal guidance. Thus, MNB officials were not aware of all the
requirements outlined by the Federal20 guidance. The LMPRS application could be
vulnerable to any weaknesses that have been identified in risk assessments,
network vulnerability scans, and audit reports.

19 OCIO Letter, Annual Agency Security Plans for Information Technology Systems and Security Programs, dated April 28, 2003
20 OMB, Memorandum for the Heads of Executive Departments and Agencies, M-02-01, dated October 17, 2001

Federal guidance21 states, "An agency should develop a separate POA&M for every
program and system for which weaknesses were identified * * *." The guidance
further states, "Thereafter, brief status updates must be submitted on a quarterly
basis."

MNB was not aware of the submission requirements for a POA&M until notified by
OIG during our fieldwork.
The AMS CIO stated that his office was responsible for preparing the POA&M for the
agency and that each branch was responsible for reporting vulnerabilities. We
obtained a copy of the most recent POA&M submissions from the AMS CIO. There were
no submissions from MNB. Although AMS' CIO did not make it a practice to send out
specific communications on Departmental requirements because of the workload and
loss of staff, the AMS CIO's office was available to consult with the branches.

Since the LMPRS vulnerabilities from a recent risk assessment were not "high"
risk, MNB made the decision to include the complete POA&M in the planned
certification and accreditation process due in September 2004. The AMS CIO stated
that his office formed a new Cyber Security Branch in June 2004 that will be more
involved with each of the AMS program areas.

Certification and Accreditation

The LMPRS application had not been certified and accredited. MNB did not follow
Federal and Departmental guidance requiring certification and accreditation when
the application went into production in April 2001 and had not pursued the matter
since. As a result, the LMPRS application could be vulnerable to security breaches
and cyber-related attacks.

Departmental guidance22 states the need for certification is recognized by OMB23
and that Federal agencies are required to certify the security of sensitive
computer application systems and perform recertification at least every 3 years.

MNB officials stated that when the LMPRS went into production in April 2001, the
certification and accreditation process was not adhered to on a Departmental
level. The Department has set September 2004 as the date for certifications to be
completed, and MNB stated that the LMPRS certification process should be completed
before September 2004. The AMS CIO agreed with the branch's assessment that the
Department had not been adhering to the certification requirements in the past.
The CIO stated that Federal guidance had not been in place for the process and
had been recently developed. The AMS CIO also stated that his office formed a new
Cyber Security Branch in June 2004 that will be more involved with each of the AMS
program areas.

21 OMB, Memorandum for the Heads of Executive Departments and Agencies, M-02-01, dated October 17, 2001
22 DM 3140-1, Management ADP Security Manual, Section 12 - Application Certification and Recertification, dated July 19, 1984
23 OMB Circular A-130, Appendix III, "Security of Federal Automated Information Resources," General Support Systems, dated November 28, 2000

Network Scans

The current LMPRS network was not being scanned at the time of our fieldwork. MNB
had no formal policies and procedures in place to ensure that network scans are
completed and corrective actions are taken on vulnerabilities identified on the
LMPRS network, due to an oversight by officials. As a result, LMPRS servers and
networks could be vulnerable to cyber-related attacks, jeopardizing the integrity
and confidentiality of the livestock data compiled for tracking and reporting.

OMB Circular A-13024 requires agencies to maintain security commensurate with the
risk and magnitude of the harm resulting from the loss, misuse, or unauthorized
access to or modification of information.
This includes assuring that systems and applications used by the agency operate
effectively and provide appropriate confidentiality, integrity, and availability
through the use of cost-effective management, personnel, operational, and
technical controls. Departmental guidance25 requires agencies to keep an inventory
of their network, to perform monthly network scans, and to develop and implement
corrective action plans to address critical vulnerabilities. Federal guidance26
also states that contractors are held to the same security standards as
Government entities.

We used a commercially available software tool that identifies vulnerabilities in
network components that use the Transmission Control Protocol/Internet Protocol
(TCP/IP, the protocol suite used on the public Internet). We found one medium-risk
and no high-risk vulnerabilities on LMPRS network routers, switches, and servers.
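The inventory, monthly-scan and corrective-action requirements quoted above can be checked mechanically rather than by recollection. The following Python script is an added example, not code from the audit report, AMS, MNB or any scanning tool vendor: it reconciles a network inventory against a scanner export and lists inventoried devices that no scan covered (routers and switches included, whether inside or outside the agency network), devices whose last scan is older than a month, devices placed in service before their first scan, scanned hosts missing from the inventory, and findings at or above the severity that needs a corrective action plan. The inventory, scan rows, addresses, dates, finding titles and the medium-or-above threshold are all constructed assumptions.

```python
"""Coverage check for monthly network vulnerability scans.

Added example, not code from the audit report, AMS or MNB.  It reconciles a
network inventory against a scanner export and reports the gaps the guidance
above is meant to close.  The inventory, scan rows, dates, addresses, finding
titles and severities are all constructed for the example.
"""
from collections import defaultdict
from datetime import date, timedelta

MONTHLY = timedelta(days=31)          # assumed "monthly" interval
AS_OF = date(2004, 6, 15)             # constructed review date

# Constructed inventory: every LMPRS network component, not only servers.
# zone "hosted" = outside the agency network, at the facility contractor.
INVENTORY = [
    {"ip": "192.0.2.10", "name": "lmprs-web1", "kind": "server", "zone": "hosted", "in_service": date(2001, 4, 2)},
    {"ip": "192.0.2.11", "name": "lmprs-db1",  "kind": "server", "zone": "hosted", "in_service": date(2001, 4, 2)},
    {"ip": "192.0.2.1",  "name": "lmprs-rtr1", "kind": "router", "zone": "hosted", "in_service": date(2001, 4, 2)},
    {"ip": "192.0.2.2",  "name": "lmprs-sw1",  "kind": "switch", "zone": "hosted", "in_service": date(2001, 4, 2)},
    {"ip": "10.20.0.15", "name": "mnb-file1",  "kind": "server", "zone": "usda",   "in_service": date(2002, 6, 1)},
    {"ip": "192.0.2.12", "name": "lmprs-web2", "kind": "server", "zone": "hosted", "in_service": date(2004, 5, 20)},
]

# Constructed scanner export rows: (host, scan date, severity, finding title).
# Severity: 0 informational, 1 low, 2 medium, 3 high.
SCAN_ROWS = [
    ("192.0.2.10", date(2004, 6, 1), 2, "Diagnostic/analysis function enabled on web service"),
    ("192.0.2.10", date(2004, 6, 1), 1, "Server version disclosed in banner"),
    ("192.0.2.11", date(2004, 6, 1), 0, "Host responds to ICMP echo"),
    ("192.0.2.12", date(2004, 6, 1), 0, "Host responds to ICMP echo"),
    ("192.0.2.13", date(2004, 6, 1), 0, "Host responds to ICMP echo"),
    ("10.20.0.15", date(2004, 4, 3), 0, "Host responds to ICMP echo"),
]


def coverage_report(inventory, scan_rows, as_of, cap_threshold=2):
    """Reconcile inventory and scan rows; return the gaps a reviewer must act on.

    cap_threshold is the lowest severity that requires a corrective action plan
    (assumed here to be medium).
    """
    by_ip = {dev["ip"]: dev for dev in inventory}
    first_seen, last_seen, cap_rows = {}, {}, defaultdict(list)
    for ip, scanned, severity, title in scan_rows:
        first_seen[ip] = min(scanned, first_seen.get(ip, scanned))
        last_seen[ip] = max(scanned, last_seen.get(ip, scanned))
        if severity >= cap_threshold:
            cap_rows[ip].append((severity, title))
    # The export only goes back so far; "scanned before placed in service" can
    # only be judged for devices commissioned inside that window.
    export_start = min(first_seen.values()) if first_seen else as_of

    report = {
        "never_scanned": [],
        "stale": [],
        "in_service_before_scan": [],
        "not_in_inventory": sorted(ip for ip in last_seen if ip not in by_ip),
        "needs_cap": [],
    }
    for dev in inventory:
        ip = dev["ip"]
        if ip not in last_seen:
            report["never_scanned"].append((dev["name"], dev["kind"], dev["zone"]))
            continue
        if as_of - last_seen[ip] > MONTHLY:
            report["stale"].append((dev["name"], last_seen[ip].isoformat()))
        if dev["in_service"] >= export_start and first_seen[ip] > dev["in_service"]:
            report["in_service_before_scan"].append(
                (dev["name"], dev["in_service"].isoformat(), first_seen[ip].isoformat()))
        for severity, title in sorted(cap_rows.get(ip, []), reverse=True):
            report["needs_cap"].append((dev["name"], severity, title))
    return report


def render(report):
    """Plain-text rendering suitable for the monthly review file."""
    lines = []
    for key in ("never_scanned", "stale", "in_service_before_scan", "not_in_inventory", "needs_cap"):
        lines.append(f"{key.replace('_', ' ')}: {len(report[key])}")
        lines.extend("  " + ", ".join(map(str, item)) if isinstance(item, tuple) else "  " + item
                     for item in report[key])
    return lines


if __name__ == "__main__":
    print("\n".join(render(coverage_report(INVENTORY, SCAN_ROWS, AS_OF))))
```

With the constructed data the report lists the router and switch as never scanned, the file server inside the agency network as stale, the newer web server as placed in service before its first scan, one scanned address absent from the inventory, and one medium finding awaiting a corrective action plan. The inventory has to carry the devices outside the agency network and the network equipment for the check to mean anything; the report is only as complete as the inventory it is reconciled against.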
The medium-risk vulnerability was a software analysis function that was enabled and
could be exploited. Sensitive system information could be obtained and used to
further attack the servers.

MNB officials stated that they did not realize that they needed to (1) scan
servers before placing the servers on the network, (2) include IP addresses for
routers and switches in the scanning process, and (3) develop corrective action
plans to address identified vulnerabilities. In a prior audit,27 we reported that
network scans were not being performed. The officials stated that the internal
servers that were not part of LMPRS were being scanned regularly as a result of
the prior audit. The MNB official stated that because the LMPRS servers are
outside the USDA network (see diagram on page 2), they were overlooked. The AMS
CIO stated that he was not aware that scans of the LMPRS network were not being
performed and told the appropriate staff that all AMS servers should be scanned,
including those external to the USDA network. During the audit fieldwork, MNB
started performing monthly scans of the LMPRS servers and plans to add scans of
the switches and routers soon. Due to our audit work, AMS became aware that the
facility contractor had a process in place for identifying and mitigating network
vulnerabilities; however, assurance of this fact was not mentioned in the
statement of work or contract for hosting the LMPRS system. The AMS CIO stated
that his office formed a new Cyber Security Branch in June 2004 that will be more
involved with each of the AMS program areas.

24 OMB Circular A-130, Appendix III, "Security of Federal Automated Information Resources," section A, dated November 28, 2000
25 DM 3500-2, Cyber Security Manual, Chapter 6, part 1, dated April 4, 2003
26 Federal Information Security Management Act of 2002, dated December 17, 2002
27 Audit Report No. 10099-1-FM, "Security Over Information Technology Resources at the Agricultural Marketing Service," dated March 2002

Recommendation No. 7

Establish and implement management controls to ensure that the LMPRS security plan
conforms to Federal and Departmental regulations, including the requirement that
appropriate waivers for existing and future LMPRS noncompliant conditions are
requested and each area of the plan is completely addressed.

Agency Response. AMS concurs with this recommendation. MNB will work with the
newly established Cyber Security Branch to ensure that the LMPRS security plan
conforms to Federal and Departmental regulations, including appropriate waivers
for noncompliant conditions. No later than May 31, 2005, MNB and the Cyber
Security Branch will ensure that the LMPRS security plan is updated as
appropriate. On December 13, 2004, AMS provided correspondence with the following
clarification: Further, no later than September 2005, management controls will be
established and implemented to ensure future security plans conform with Federal
and Departmental regulations.

OIG Position. We accept the AMS management decision for Recommendation No. 7. In
our opinion, final action will be completed when AMS provides OCFO/PAD
documentation of management controls to ensure that the LMPRS security plan
conforms to Federal and Departmental regulations, including an updated LMPRS
security plan.

Recommendation No. 8

Establish and implement management controls to ensure POA&M data is compiled and
updated as required for LMPRS.

Agency Response. AMS concurs with this recommendation. MNB and Cyber Security
Branch staff will ensure a POA&M is completed for the LMPRS by January 31, 2005.
On December 13, 2004, AMS provided correspondence with the following
clarification: Further, no later than September 2005, management controls will be
established to ensure that POA&M data will be routinely updated in the future.

OIG Position. We accept the AMS management decision for Recommendation No. 8. In
our opinion, final action will be completed when AMS provides OCFO/PAD
documentation of a completed POA&M that includes LMPRS data.

Recommendation No.
9\n\n                  Establish and implement management controls to ensure that the appropriate\n                  agency personnel are aware of Departmental requirements for information\n                  security, including security plans, POA&M data, and network scans.\n\n                  Agency Response. AMS concurs with this recommendation. AMS will\n                  supplement Departmental guidance with written agency directives regarding\n                  the use of system security plans, network patching and scanning, and\n                  POA&M reporting by September 2005.\n\n                  OIG Position.       We accept the AMS management decision for\n                  Recommendation No. 9. In our opinion, final action will be completed when\n                  AMS provides OCFO/PAD documentation of the written agency directives\n                  for system security plans, network patching and scanning, and POA&M\n                  reporting.\n\nRecommendation No. 10\n\n                  Establish and implement management controls for the certification,\n                  accreditation, and periodic recertification of the LMPRS application.\n\n                  Agency Response. AMS concurs with this recommendation. The\n                  LMPRS application was certified and accredited on September 9, 2004.\n                  AMS will ensure that the LMPRS application is recertified as required by\n                  Federal and Departmental guidance. On December 13, 2004, AMS provided\n                  correspondence with the following clarification: Further, no later than\n                  September 2005, management controls will be established and implemented\n                  to ensure the LMPRS application will be recertified as required by Federal\n                  and Departmental guidance.\n\n                  OIG Position.         We accept the AMS management decision for\n                  Recommendation No. 10. 
In our opinion, final action will be completed\n                  when AMS provides OCFO/PAD documentation that the LMPRS\n                  application has been certified and accredited.\n\nRecommendation No. 11\n\n                  Establish and implement management controls to perform monthly network\n                  scans of LMPRS and develop corrective action plans for critical\n                  vulnerabilities.\n\x0c                  Agency Response. AMS concurs with this recommendation. MNB\n                  began monthly scans of the LMPRS network during the OIG review. Any\n                  critical vulnerability that is identified is provided to the contractor for\n                  appropriate mitigation. Any corrective action taken (e.g., security patches)\n                  is documented in the system documentation. No later than May 31, 2005,\n                  the Trusted Facilities Manual will be modified to include the procedures for\n                  performing scans and addressing any corrective action required.\n\n                  OIG Position.        We accept the AMS management decision for\n                  Recommendation No. 11. In our opinion, final action will be completed\n                  when AMS provides OCFO/PAD documentation of the written procedures\n                  for performing scans and addressing any corrective action required.\n\nRecommendation No. 12\n\n                  Establish and implement management controls to ensure contracts with\n                  service organizations include coverage of vulnerability identification and\n                  mitigation, such as router scans.\n\n                  Agency Response. AMS concurs with this recommendation. The only\n                  AMS service agreement that involves contractor support for vulnerability\n                  identification and mitigation is the LMPRS agreement. 
MNB will modify\n                  the LMPRS service agreement upon its renewal in September 2005 to\n                  specify vulnerability identification and mitigation services. On\n                  December 13, 2004, AMS provided correspondence with the following\n                  clarification: Further, no later than September 2005, management controls\n                  will be established and implemented to ensure that any future contracts will\n                  include coverage of vulnerability and mitigation.\n\n                  OIG Position.      We accept the AMS management decision for\n                  Recommendation No. 12. In our opinion, final action will be completed\n                  when AMS provides OCFO/PAD documentation that the LMPRS contract\n                  has been modified to include vulnerability identification and mitigation\n                  services.\n\x0cGeneral Comments\n                                      We determined that the operations of two of the four LMPRS contractors\n                                      have had some level of review by a third party. Professional auditing\n                                      standards28 state that when a user organization uses a service organization,\n                                      transactions that affect the user organization\xe2\x80\x99s financial statements are\n                                      subjected to controls that are, at least in part, physically and operationally\n                                      separate from the user organization. 
Service organizations include bank\n                                      trust departments that invest and service assets for employee benefit plans or\n                                      for others, mortgage bankers that service mortgages for others, and\n                                      application service providers that provide packaged software applications,\n                                      and a technology environment that enables customers to process financial\n                                      and operational transactions.\n\n                                      External users of the LMPRS application rely on the data for financial\n                                      decisions such as the purchase and sale of livestock. Therefore, we believe\n                                      that it would be prudent for MNB to require reviews for the LMPRS\n                                      contractors, which are conducted based on the above-mentioned professional\n                                      auditing standards.\n\n\n\n\n28\n  American Institute of Certified Public Accountants Professional Standards, AU Section 324: Service Organizations, as amended by applicable\nstatements on auditing standards\n\x0cScope and Methodology\n          Our audit was part of a nationwide audit of selected USDA agencies. We\n          selected AMS\xe2\x80\x99 LMPRS application from a listing submitted in November\n          2003 by USDA agencies of their major applications and general support\n          systems needing to be certified and accredited by September 2004 to OCIO.\n          The application was chosen based on it being mission critical and our\n          knowledge of previous agency audits.           The Livestock and Grain\n          MNB Headquarters is in Washington, D.C., and the two field offices that\n          handle mandatory information are in Des Moines, Iowa, and St. Joseph,\n          Missouri. 
There are approximately 134 plants that submit mandatory data to\n          the LMPRS application.         We performed audit work at the AMS\n          MNB located in Washington, D.C., and the AMS Des Moines Field Office\n          in Des Moines, Iowa. We also visited the application contractor, who\n          developed and maintains the application for AMS, and four judgmentally\n          selected plants. We reviewed the AMS LMPRS activities for fiscal year\n          2004 and other years as necessary to develop the findings. We selected\n          transactions made during the period from October 1 to October 24, 2003,\n          comprised of data from 115 of the 134 plants. We selected 4 of the\n          115 plants to visit. Our fieldwork was performed during and for the period\n          January 2004 thorough July 2004.\n\n          To accomplish our audit objectives, we performed the following procedures:\n\n          \xe2\x80\xa2   We interviewed responsible agency and contractor officials managing the\n              application system, as well as both agency and plant users of the system.\n\n          \xe2\x80\xa2   We reviewed, tested, and compared LMPRS application policies,\n              procedures, handbooks, and administrative records to the requirements of\n              Federal regulations, Departmental regulations, and other sources.\n\n          \xe2\x80\xa2   We judgmentally selected 4 of 115 plants to examine controls over\n              source documents and submission of LMPRS mandatory information.\n              The plant selections were based on the method of data submission and\n              proximity to the OIG Southwest Regional Office and the AMS\n              Des Moines Field Office.      The controls we examined included\n              authorization, data terminal security, and accuracy of the data\n              submissions. 
We verified a sample of transaction data submitted by each\n              of the four plants.\n\n          \xe2\x80\xa2   We performed Transmission Control Protocol/Internet             Protocol\n              vulnerability scans on various LMPRS network components.\n\x0cThis audit was conducted in accordance with generally accepted Government\nauditing standards. Therefore, the audit included tests of program and\naccounting records considered necessary to meet the audit objectives.\n\x0cExhibit A \xe2\x80\x93 Agency Response\n                              Exhibit A \xe2\x80\x93 Page 1 of 5\n\x0c\x0c\x0c\x0c\x0c"